b2evolution CMS User Manual
Optimal File Permissions
On your system you typically want to restrict your file permissions as much as possible for best security, but not so much that b2evolution can no longer save uploaded or cached files.
Optimal file permissions are basically a tradeoff between security and flexibility.
Now if you list (ls -la) the files from your blog directory, you will see something like this:
drwxr-xr-x 12 fplanque staff 408 5 mar 03:44 cache
drwxr-xr-x 18 fplanque staff 612 6 mar 00:31 conf
drwxr-xr-x 8 fplanque staff 272 1 mar 01:48 cron
-rw-r--r-- 1 fplanque staff 1406 12 déc 2011 favicon.ico
drwxr-xr-x 22 fplanque staff 748 6 mar 00:31 htsrv
drwxr-xr-x 45 fplanque staff 1530 1 mar 01:48 inc
-rw-r--r-- 1 fplanque staff 2022 1 mar 01:48 index.php
drwxr-xr-x 14 fplanque staff 476 1 mar 01:48 install
drwxr-xr-x 16 fplanque staff 544 6 mar 00:31 locales
drwxr-xr-x 8 fplanque staff 272 5 mar 03:44 media
If you look at the cache or the media folder, for example, you will see the following info:
- The owner of those directories is "fplanque" and he has permissions "rwx" (read write execute)
- The group of those directories is "staff" and members of that group have permissions "r-x" (read & execute but not write – note that execute is necessary to be able to open the directory)
- The other users of the system have permissions "r-x" (read & execute but not write)
Now, will b2evolution be able to write the files it needs into /cache or /media?
Well, it depends under which UNIX user account b2evolution is running!
In order to determine this, look at the system status page in b2evolution. You will see something like this:
In this case, all is fine. PHP is running as "fplanque" and "fplanque" has write permissions to the cache and media directories.
Now, this is a development machine, so it was easy, but let’s suppose we now run on a server and PHP runs as user "www-data". "www-data" has only permissions "r-x", because "www-data" would be considered an "other" user here. However, we don’t want to give write permissions to all other users, so what we may do is first change the group of the files, for example like this:
chgrp -R www-data /path/to/blogs
Now we would have this:
drwxr-xr-x 12 fplanque www-data 408 5 mar 03:44 cache
drwxr-xr-x 18 fplanque www-data 612 6 mar 00:31 conf
drwxr-xr-x 8 fplanque www-data 272 1 mar 01:48 cron
-rw-r--r-- 1 fplanque www-data 1406 12 déc 2011 favicon.ico
drwxr-xr-x 22 fplanque www-data 748 6 mar 00:31 htsrv
drwxr-xr-x 45 fplanque www-data 1530 1 mar 01:48 inc
-rw-r--r-- 1 fplanque www-data 2022 1 mar 01:48 index.php
drwxr-xr-x 14 fplanque www-data 476 1 mar 01:48 install
drwxr-xr-x 16 fplanque www-data 544 6 mar 00:31 locales
drwxr-xr-x 8 fplanque www-data 272 5 mar 03:44 media
But that is not enough, because now "www-data" is the group but the group still only has the permissions "r-x".
So we now need to give write permission to the group on the desired directories (and their subdirectories):
chmod -R g+w /path/to/blogs/cache
chmod -R g+w /path/to/blogs/media
Now we have:
drwxrwxr-x 12 fplanque www-data 408 5 mar 03:44 cache
drwxr-xr-x 18 fplanque www-data 612 6 mar 00:31 conf
drwxr-xr-x 8 fplanque www-data 272 1 mar 01:48 cron
-rw-r--r-- 1 fplanque www-data 1406 12 déc 2011 favicon.ico
drwxr-xr-x 22 fplanque www-data 748 6 mar 00:31 htsrv
drwxr-xr-x 45 fplanque www-data 1530 1 mar 01:48 inc
-rw-r--r-- 1 fplanque www-data 2022 1 mar 01:48 index.php
drwxr-xr-x 14 fplanque www-data 476 1 mar 01:48 install
drwxr-xr-x 16 fplanque www-data 544 6 mar 00:31 locales
drwxrwxr-x 8 fplanque www-data 272 5 mar 03:44 media
"www-data" now has "rwx" access to the cache and media folders, which means PHP/b2evolution will be able to write files there.
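The two-step procedure above (chgrp the whole tree, then g+w only on cache and media) is easy to get wrong in one direction or the other: either the group never gets write access and uploads fail, or g+w is applied to the whole tree and conf/ and inc/ become writable by the web server. The following script is an added example, not code from the b2evolution manual or project. It applies the scheme to a blog directory and then verifies the end state shown in the listing above. It assumes the web server's group is passed as an argument (the page uses "www-data"); the built-in demo uses the caller's own primary group instead so that it runs without root, and it builds a throwaway directory layout mirroring the listing on this page.

```shell
#!/bin/sh
# Added example (not from the b2evolution manual): apply the group-based
# permission scheme described above and verify the result.
# Assumption: the web server's group is given as the second argument;
# the --demo mode below substitutes the caller's primary group (id -gn).

# First field of `ls -ld`: the 10-character type+permission string.
# ls is used instead of stat because stat's flags differ between GNU and BSD.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Fourth field of `ls -ld`: the group name.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Succeeds when the group write bit (6th character of the mode) is set.
group_writable() {
    case "$(mode_of "$1")" in
        ?????w????) return 0 ;;
        *)          return 1 ;;
    esac
}

# Steps from the page: group ownership for the whole tree, then write
# permission for the group only where b2evolution needs it.
apply_permissions() {
    blogs="$1"
    webgroup="$2"
    chgrp -R "$webgroup" "$blogs" || return 1
    chmod -R g+w "$blogs/cache" "$blogs/media" || return 1
}

# Check the end state shown in the listing: cache/ and media/ are
# group-writable, everything else is still read-only for the group.
verify_permissions() {
    blogs="$1"
    group_writable "$blogs/cache" || { echo "cache/ is not group-writable" >&2; return 1; }
    group_writable "$blogs/media" || { echo "media/ is not group-writable" >&2; return 1; }
    for p in conf cron htsrv inc install locales index.php favicon.ico; do
        if group_writable "$blogs/$p"; then
            echo "$p is group-writable but should not be" >&2
            return 1
        fi
    done
    return 0
}

# Build a throwaway directory mirroring the listing on the page
# (constructed sample layout; files are empty placeholders).
# Runs in a subshell so the umask change does not leak out.
make_demo_tree() (
    umask 022                       # directories 755, files 644, as in the listing
    d=$(mktemp -d) || exit 1
    for sub in cache conf cron htsrv inc install locales media; do
        mkdir "$d/$sub"
    done
    : > "$d/index.php"
    : > "$d/favicon.ico"
    echo "$d"
)

# Usage: sh permissions.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_demo_tree)
    apply_permissions "$tree" "$(id -gn)"
    verify_permissions "$tree" && ls -la "$tree"
    rm -rf "$tree"
fi
```

On a real server you would call apply_permissions /path/to/blogs www-data as the file owner (here "fplanque"), then run verify_permissions to confirm that only cache/ and media/ picked up the group write bit; verify_permissions is also a cheap check to rerun after an upgrade or restore, which often resets modes.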
Note: we only gave "www-data" permission on these 2 directories. If we wanted to enable b2evolution to upgrade itself we would need to enable write access for all files and directories. But as long as we don’t use the Auto Upgrade feature it’s best to keep permissions tight.
Speaking of tight permissions: why did we not change the owner of the files to "www-data" so that we don’t need to change permissions for the group? Because if we did that then we would no longer be able to update our files via FTP, which is not what we want either ;) (Note: we could always add "fplanque" to the "www-data" group but that would open additional security issues, so we don’t want to do that.)